File: PtpMgr/PtpApp/PtpOperation.c (probably)
Function: PTP_NotifyBtStatus()

The handler copies the received message into a local stack buffer of size 0x120 bytes. The incoming message has no byte constraints and can be way bigger than this fixed size.
Note: The vulnerability only triggers over USB and not over WiFi.

Decompiling the vulnerable code will look roughly like this:

input_size = ctx->get_data_size_ptr(ctx->handle);
// EI-DBG: The local buffer is of size 0x120 bytes
bzero(local_buffer, 0x120);
PTP_FillUpResponse(&msg, args);
// EI-DBG: Input is read according to the attacker controlled "input_size"
if ( ctx->recv_data_ptr(ctx->handle, local_buffer, input_size) >= 0 )
    COM_NotifyBtStatus(input_size, param1, local_buffer);
some_fptr = global_ptp_memory_context->adapterStatusCallback;
if ( some_fptr )
    some_fptr(global_ptp_memory_context->fptr_108, 12, param1);
result = PTP_SendResponse(ctx, &msg) < 0;
if ( result )
    ... // error handling
    result = 1;
return result;